Behavioural economics enables effective security training writes Bruce Hallas, who spoke on security awareness, behaviour and culture at the first Security TWENTY event of 2018, ST18 at Nottingham.
CISOs are worried, but not about what you might think. Yes, they have concerns about technology, hackers and malware, but what worries them most is their own people. According to a recent cross-sector survey of their peers by the Ponemon Institute, the ‘human factor’ is considered the biggest threat to security. This situation stems from the traditional approaches to security training, which focus on raising awareness. Yet successive studies have shown that simply ‘raising awareness’ has limited direct correlation with transforming organisation-wide behaviour and bringing about cultural change. And this is because most education awareness programmes are designed on flawed assumptions and an incomplete understanding of what make humans behave the way we do – instead of like machines.
For centuries, we believed that if anyone is presented with good, logical information – such as a security policy – they would process that information logically and respond to it by duly complying. But, this sort of ‘training’ has proven time and again to be ineffective at best; it ultimately slows things down, creates unnecessary barriers and, in the worst circumstances, means that what we want to happen never actually happens at all.
More recently the science of Behavioural Economics (the science of which has won three Nobel Prizes to date), neurology and ideas of cognitive bias have shed light on human behaviour and how people react in different situations. The cat is out of the bag; humans, it appears, are not rational creatures after all. Instead of carefully weighing up facts to make sensible choices, humans often make rash decisions based on scant information, misguided thinking and ill-informed “knowledge”. Think about texting and driving, smoking or overeating; all of these vices come with risk and none can be logically explained, but even so masses of people continue to do them against all the advice and guidelines of those in authority.
Behavioural Economics sheds light on this ‘gut instinct reasoning’ and helps explain why communication campaigns and transformation programmes that appeal solely to logic often don’t just fail, but can actually reinforce already entrenched attitudes. Anyone who has challenged someone’s worldview – such as a ‘leave’ supporter extolling Brexit benefits to a ‘remain’ supporter – will have experienced the ‘backfire effect’ as the participants become ever more stubborn. Yet most information security awareness strategies, aimed at influencing security behaviour, are based on the same idea of disseminating ideals, logic and data, trying to change behaviour through rational argument, when in fact doing nothing would give a similar outcome.
If there is one thing that the whole area of behavioural research reveals, it is that facts on their own are powerless to affect change, or at least so open to misinterpretation to effectively make them so. That’s because how we respond to them is intimately connected to our own individual preferences and inclinations, and what gives us pleasure or pain. Given this background, we are not so much using reason to arrive at the best decision, but rather we are looking to construct a rationale for the bias in making the choices that we do.
This realm of behavioural economics and the insights it offers have widespread applicability, not least to the world of information security awareness and security behaviour. It can guide CISOs in designing more effective information security awareness campaigns. By applying a knowledge of Behavioural Economics, heuristics – the rules of thumb that are hard-wired into us – and cognitive bias, it is possible to create highly effective mechanisms that can help us design information security training programmes that are more effective at changing behaviour – the result we actually want. This provides a means to influence the choices of others in specific directions and to favourably alter security behaviour creating the context in which people make decisions about information security awareness.
The principles of Behavioural Economics have been proven and are successfully used in massive global enterprises today – like Facebook, Google and TripAdvisor – all using these ideas and principles to influence audience behaviour. Governments in the UK and US have also implemented learnings from this new science in designing tax credit, financial and retirement planning and health systems for citizens for example. Importantly, the same principals can help security professionals re-think the human factor, by designing and implementing education and awareness programmes that bring about long lasting change, maximise employee efficacy as guardians of information, and increase the likelihood of compliance with security policies. But, more importantly, taking the final step to embedding this behaviour deep in the heart of the organisational culture.
Picture by Mark Rowe; street sign, south London.
